Can we learn from Microsoft and Google on security?

ID THREATPOST:3280216EACFF5DF56093E6803215DF70
Type threatpost
Reporter Ryan Naraine
Modified 2013-04-17T16:39:35


Tech security company Fortify and security consulting firm Cigital are getting ready to release a set of best practices that tech companies and other businesses can follow to ensure that the software they develop is secure.

The authors developed the model by studying the security practices at Google, Microsoft, Adobe, and other tech companies, as well as non-tech companies that write their own software like Wells Fargo, and Depository Trust & Clearing Corp.

After collecting data on each initiative’s software security activities for strategy and metrics, training, standards and requirements, security testing, code review, etc., the following themes emerged from successful initiatives:

1. The necessity of a Software Security Group: Each of the nine enterprises has a designated group of software security personnel–the SSG–tasked with carrying out and facilitating software security. Average SSG size is just over one percent of the size of the software development organization.

2. Advocacy over audit: Successful SSGs, even in regulated industries, always emphasize security education, technical resources, and mentoring rather than policing for security errors and handing out punishments.

3. Use of automated technologies: Each organization performs automated code review and deploys black box testing tools, but use of these technologies requires considerable SSG know–how.

4. Training for development: All organizations have an institutionalized security training curriculum for programmers, QA engineers, and project managers.

Over the next several months, Cigital and Fortify will gather data from other leading software security initiatives to enhance the study and provide additional insight on trends and activities particular to certain vertical industries and company sizes, among other factors.

The final product will be available at this Web site.